| June 11, 1999 Secretary, Federal Trade Commission RE: Children’s Online Privacy Protection Rule – Comment, P994504 Dear Mr. Secretary: The Interactive Digital Software Association (IDSA) appreciates this opportunity to comment in the above-captioned proceedings. Formed in 1994, the IDSA serves the business and public affairs needs of companies that publish video and computer games for consoles, personal computers, and the Internet. Member companies of the IDSA collectively account for more than 90 per cent of the $5.5 billion in entertainment software sold in the U.S. in 1998. Sales through early 1999 are up an additional 15-20 percent, on top of a 25% growth rate in 1998. IDSA member companies were among the earliest active participants in electronic commerce over the Internet. Today, the online presence of these companies is crucial to their business operations, not only for promotion and marketing and for online sales of their products, but also for the development of virtual communities of game players, and for actual online delivery of the companies products. In fact, online gaming, in which computer games are actually played online, in real time, by pairs, scores or even hundreds of simultaneous users who may be scattered across the globe, is a rapidly expanding segment of the entertainment software market, and is expected to be even more important after the year 2000, as network performance and bandwidth are upgraded. It is estimated that the online game sector generated $250 million in 1998 and within five years may equal 20% of total industry revenues. Thus, questions of how IDSA member companies collect, use and disseminate personal information online, and how these companies can best meet the privacy expectations of their customers and comply with applicable laws and regulations, are not peripheral matters, but go to the very heart of their businesses. On October 14, 1998, the IDSA Board of Directors unanimously approved the IDSA Principles and Guidelines for Fair Information Practices, along with Supplemental Guidelines for the Online Collection and Use of Personal Identifying Information from Children (collectively referred to as the IDSA Guidelines). These self-regulatory guidelines are intended to serve as a basis upon which IDSA member companies will build their own policies for the online protection of personally identifiable information. The adoption of the IDSA Guidelines is thus a significant step forward in the effort to protect the privacy of consumers online through voluntary self-regulation by responsible industry players. A copy of the IDSA Guidelines, with their accompanying commentary or implementation guidance, is attached to this letter. IDSA has just completed a vigorous campaign to encourage and assist its member companies to implement information policies consistent with the IDSA Guidelines by no later than May 31, 1999. Currently 23 out of 36 member companies are in compliance with the IDSA Guidelines. The IDSA Guidelines recognize the special issues that arise from the online collection and use of personal identifying information from children. As the Guidelines note, "the online collection and use of personal data from children … should be subject to a more rigorous set of guidelines" than those applicable to online data collection generally. The IDSA Guidelines applicable to the collection of personal identifying information from children aged 12 and under require prior parental consent – on an opt-in basis – whenever the information in question either would enable someone to contact a child offline, or would be publicly posted or disclosed to third parties. These principles are fully consistent with the requirements of the Children’s Online Privacy Protection Act ("COPPA"), Title XIII of Public Law 105-277, and thus with the Proposed Rules involved in this proceeding. The IDSA Guidelines go further than the statute, however, by recommending to IDSA members that they provide notice to parents whenever personal identifying information is collected from children aged 13-17, and give parents the choice to remove such information from the site’s database, on an opt-out basis. This recommendation substantially exceeds the requirements of COPPA (which applies only to children under 13) or of any other applicable law.
Because COPPA and the Proposed Rules impose considerably more stringent requirements on the operators of sites and services "directed to children" under the age of 13 than are applicable to the operators of all other websites or online services, the definition of this phrase is a crucial threshold question in delineating the scope and impact of the statute. The definition in the Proposed Rules fleshes out the statute by identifying some factors that the Commission would take into account in determining whether a particular site or service is "targeted" to children, such as its subject matter, content, language employed, advertising practices, evidence about the actual and the intended audience, and "whether the site uses animated characters and/or child-oriented activities and incentives." IDSA recognizes that it is impossible to provide in advance a definitive checklist of factors that will be determinative in deciding whether or not a site or service is "targeted" to children under 13, and that the Commission must retain flexibility in its enforcement efforts, especially in a new and rapidly evolving medium such as the Internet. We urge, however, that the Commission delve a bit deeper into the available evidence in order to provide some clearer guidance to the online industry as to the boundaries of this crucial definition. For instance, the Commission should take note of demographic studies that show that children are a diminishing minority of the video game and entertainment software market, and an even smaller share of those who go online to participate in game-playing. In the most recent IDSA survey, seventy percent of those who play games on the personal computer platform were over the age of 18, as were 57% of the most frequent users of video game consoles (such as Nintendo, Sony PlayStation, and Sega). It thus seems highly unlikely that sites catering to the interests of computer game and video game fans would, in most cases, be "directed" or "targeted" at players under 18, much less at the pre-teenagers who fit the statutory definition of "children" under COPPA. For those sites that actually offer games for online play, the statistics are even more compelling: 79% of online gamers are between the ages of 25 and 55 – a fact reflecting the reality that most on line games require payments with credit cards. Thus, in the absence of strong and specific indicia that pre-teenagers are being targeted, the vast majority of sites devoted to fans of video games and computer games, as well as those which offer users online gaming opportunities, should be presumed to fall outside the scope of COPPA and the Proposed Rules. Because the nature of our industry is majority adults and the minority is under 13, some sites have mixed uses in certain area. IDSA also urges the Commission to eliminate as a definitional criterion whether a site uses "animated characters." This indicator, which we assume originated in the television medium, may be of decreasing validity even there, in today’s environment of "South Park" and other popular animated shows clearly not directed at young children. In video games and entertainment software, "animated characters" are ubiquitous and indeed almost unavoidable, as they are on the World Wide Web as a whole. Numerous games rated Mature and targeted at older users are animated, reflecting the fact that as advanced as the medium is, we have not yet reached the point where game characters and worlds are realistic (full motion video in games remains rare). Even in the most advanced games, characters are animated computer-generated creations. Even office productivity software aimed exclusively at white collar workers – a category from which pre-teens are almost totally absent – rely upon animated characters to convey information or to enliven otherwise boring screens. The presence of animated characters is no way whatsoever probative of whether or not a site or service is "targeted to children," so the Commission should not take that presence into account in applying the statutory definition. The Commission should consider a more direct explanation that defines animated characters, and should remember almost all games involve animated characters and not all games are targeted to children.
IDSA fully agrees that, on websites directed to children, the notice of information practices should be clearly displayed. IDSA’s Guidelines require that a link to the IDSA member company’s privacy policy appear on the first page of the website, and at every point at which the member company requests personal identifying information online from "a consumer with whom it does not have a previous relationship." The Proposed Rules go a bit further, and perhaps further than necessary, requiring a "prominent link to the notice at each place … where children directly provide, or are asked to provide, personal information…". Proposed Rule 312.4(b)(1)(iii). Once parental permission has been obtained and the child is participating, with full knowledge and consent of the parent, in an activity in which personal identifying information is collected, it may not be necessary to provide this link at the point of each successive collection. The Commission may wish to consider some variation on the IDSA’s Guidelines’ formulation with regard to children with whom the collecting web site has a "previous relationship" that has been approved by the parent. We also agree that a link labeled "About Us" or "What We Do" is not particularly informative about what lies beyond the next click. The Commission would do well to give some examples of hyperlink labels, which do adequately lead users to a statement of information collection practices, rather than simply saying that these links should have "informative names." In particular, it is not clear from footnote 8 whether the Commission considers the label "privacy policies" to be sufficiently informative. Placing the privacy policy at the bottom the homepage has been a de facto standard since the posting of privacy policies. To have privacy policies posted at the bottom of the homepage of each website is easier for the consumer in the sense of that they will automatically know where to look for the posting of the privacy policy.
Proposed Rule 312.4(b)(2)(iv) provides that a parent must have "the option to consent to the collection and use of their[sic] child’s personal information without consenting to the disclosure of that information to third parties." Proposed Rule 312.5(a)(2) also requires that parents be given this option. While IDSA firmly believes (and its Guidelines clearly reflect) that parental consent must be obtained before a child’s personal identifying information may be disclosed to third parties, these Proposed Rules could be read to go a step further, forbidding site operators from having a policy under which all personally identifying information collected (with prior parental opt-in consent) on a site or in a particular area is available for disclosure to third parties. Some sites offer an opt in or opt out option and consumers should not be allowed to fine tune the opt out option. This would only make it that much harder for the website. In effect, this interpretation would conflict with section 1303(b)(3) of COPPA, which preserves the site operator’s right "to terminate service provided to a child whose parent has refused … to permit the operator’s further use … of personal information from that child." Section 1303(b)(3) applies in those cases in which the refused "further use" is disclosure to a third party. For reasons of efficiency and ease of administration if nothing else, a site or service operator may (and is entitled under COPPA to) adopt an "all-or-nothing" policy, under which a parent cannot consent to collection of information but veto its disclosure to third parties. To maintain consistency with the statute, the Commission should consider deleting the last phrase of Proposed Rule 312.4(b)(2)(iv) and the entirety of Proposed Rule 312.5(a)(2).
IDSA urges the Commission to reconsider the statement made in the commentary to Proposed Rule 312.4[c] that "a new notice and request for consent will be required… if the operator wishes to… disclose [information] to … parties created by a merger or other corporate combination involving existing operators or third parties." This requirement could prove extremely unwieldy and impractical to implement, especially in dynamic Internet-based industry sectors in which new "corporate combinations" emerge almost every day. Assume, for instance, that a website or online service operated by company A collects information on Johnny Doe on January 1 and on Janie Roe on February 1 (with all appropriate required parental consent in both cases). In neither case did A seek consent for disclosure of the data to third parties. What if A is acquired by company B on January 15, and on February 15 seeks to share the data on Doe and Roe with a unit of B, for a purpose falling within the notice given to the parents of both children? Must the data be segregated into that acquired before and after January 15, so that Janie’s data may be shared with the B unit while Johnny’s is held back pending receipt of a new opt-in consent from his parent? Since Johnny’s parent has already consented to the particular use in question, why must a new consent be obtained just because that function can now be carried out "in house" rather than by a third party? This proposal becomes even more problematic if it involves a third party involved in a "corporate combination." Assume that a parent gives company X consent to third party disclosure for specified purposes, but the specific third party is not identified in the notice. (Proposed Rule 312.4(b)(2)(iv) allows this; the notice need only identify the "types of businesses in which such third parties are engaged." Pursuant to this consent, and in accordance with a contract, X periodically makes its data available to company Y. If company Z acquires Y, does the consent given by the parent become void – even though the consent was in no way conditioned on the identity of Y as the third party recipient of the data? Is X barred from fulfilling its contractual commitments to provide data to Z until it has obtained new consents from parents of all the children in its database? Since Y’s identity was not sufficiently material to require specific consent for a disclosure to Y, should Z’s identity be treated any differently? The implication that a "corporate combination" nullifies all consents given prior to its effective date, whether or not the corporate identity of the information collector or recipient is disclosed or even material, sweeps quite broadly and could threaten to impede, or at least to make much less efficient, acquisition and divestiture activity in some market segments in which customer data constitutes a valuable asset. The Commission’s comment should be reconsidered and either stricken or substantially narrowed to those instances in which the change caused by the "corporate combination" would materially impact a parent’s decision to grant or refuse consent. 5. Mechanisms for verifiable parental consent IDSA members are exploring various means of reliably obtaining verifiable consent, and with more experience may be able to comment more knowledgeably on what methods work and which are unduly burdensome. The IDSA members have experimented with the different methods that the FTC has provided for parental consent, and would support any electronic method. This seems to be the most cost efficient and less burdensome method. The IDSA members are waiting to hear the FTC’s finding on the best method of consent. 6. Right of parent to review personal information provided by child The Commission should take the opportunity of issuance of the Proposed Rules to clarify an ambiguous provision of the statute, section 1303 (b)(1)(B)(iii), which requires site operators to give parents "a means that is reasonable under the circumstances for the parent to obtain any personal information collected from that child." To the extent IDSA members retain personally identifying information about children under the age of 13, most of the information will probably have been obtained offline rather than online. For instance, identifying information about a child who purchases a video game in a retail store may come from the same child who registers (with parental permission) at an online site dedicated to chat and other activities relating to that game (or perhaps to a different game). However, the online and offline information may be held in two separate databases by two separate divisions of the company, and it may not even be clear that the same child is the source of the two data entries. IDSA suggests that Congress did not intend that, in response to a request from the parent of a child who has provided personally identifying information online, the company operating the site must scour all its databases for "any personal information collected from that child," even if entirely unrelated to the online collection. The phrase "reasonable under the circumstances" certainly suggests that our interpretation accurately captures Congress’ intent, since the time and expense that might be required to canvass all the company’s data would often make this an "unreasonable" means for complying with the parent’s request. IDSA urges the Commission to (a) reinstate the statutory phrase "that is reasonable under the circumstances" after "means" in Proposed Rule 312.6(a)(3), and (b) add the phrase "via that website or online service" after "child" in the same Proposed Rule. As revised, the beginning of the subparagraph in question would now read, "notwithstanding any other provision of law, a means that is reasonable under the circumstances of reviewing and making changes to any personal information collected from the child via that website or online service." 7. Criteria for approval of self-regulatory guidelines How does the Commission want companies to show compliance? Do they want the Trade Association certify full compliance by a member, must a member company prove compliance with each requirement in the guidelines, or is it sufficient for a company to demonstrate a clean record of compliance with a certified seal provider? 8. Retrospective application of the Rules to existing data. The Commission’s Overview of the Proposed Rule states that it "protects personal information collected from children prior to the effective date of the final Rule if an operator wishes to use such information in the future." The statute itself is far from clear on this point. The only act specifically prohibited by section 1303(a)(1) is the collection of personal information in violation of the Commission’s regulation, not the use of information collected without adequate safeguards. As to the regulations required by section 1303(b)(1), they apply only to an entity that "collects" personal information on websites and online services directed to children (or that "is collecting" such data with actual knowledge that the source of the data is a child); the statute never uses any form of the past tense, nor otherwise suggests that the regulations may be applied to the use of data collected in the past. Practical considerations counsel the Commission to rethink its conclusion that the Proposed Rules, once they become final, may be applied retrospectively to data collected before they became final, before they were proposed, or even before COPPA was enacted. Identifying the data that would become subject to such retrospective regulation would be a difficult undertaking. In a case where the data does not reveal the age of the data source (so that the operator could not be charged with "actual knowledge" that it was collecting data from a pre-teenager), the applicability of the Rules would turn on whether the site or service through which the data was collected was, at the time of collection, "directed to children." As discussed above, this is a difficult question to answer definitively even in "real time"; on the fast-changing Internet, reconstructing the content, advertising practices, and audience parameters that pertained to a Website two or three years in the past would be a formidable undertaking. Furthermore, many companies may well have commingled data collected in the past from websites directed to children and those not so directed. Unscrambling the egg in these cases would be difficult and time-consuming. Finally, one experience that nearly all IDSA members share in common with other companies that have adopted new fair information practices in recent years is the complexity of implementation. It is not possible to eliminate this complexity, with its attendant expense and delay, from the implementation process, but at least it can be held to a manageable level by applying the new practices and policies only prospectively. IDSA urges the Commission to re-examine its position on this question of retrospective application. Whatever marginal privacy benefits its current position might deliver to a shrinking group of children (each growing closer to age 13 daily) whose data was collected in a way that falls short of today’s standards is far outweighed by the costs retrospectively imposes on companies within and outside IDSA who are already working hard to bring their ongoing operations into full compliance with COPPA. Respectfully submitted, Douglas Lowenstein |